Modern cars are increasingly defined by their connectivity, turning them into sophisticated IoT devices on wheels. While this digital evolution enhances the driving experience, it introduces severe security risks.
A hypothetical scenario in which a car's dashboard is remotely hijacked to run video games like Doom has become a daunting reality.
This vulnerability stems from the integrated System-on-Chip technology used in automotive head units, specifically those combining application and communication processors to manage vehicle functions.
The core issue resides in the Unisoc UIS7862A System-on-Chip, a component widely deployed in modern vehicle head units.
This chip integrates a modem responsible for 3G, 4G, and 5G connectivity. Attackers can exploit weaknesses in this modem to gain initial access.
Once inside, they can pivot laterally to the application processor, effectively seizing control of the dashboard's operating system and compromising user data.
Circuit board of the head unit (Source – Securelist)
Securelist analysts identified a critical flaw in the modem's implementation of the 3G RLC protocol.
By analyzing the firmware, they discovered that the mechanism for handling data packet fragmentation lacks sufficient bounds checking.
This oversight enables remote adversaries to execute arbitrary code on the modem processor, thereby bypassing standard cellular security measures before a secure channel is established.
The discovery highlights the fragility of "black box" components in automotive supply chains.
Exploiting the Stack-Based Buffer Overflow
The technical root of this vulnerability is a stack-based buffer overflow in the function that parses incoming Service Data Units.
The protocol allows an unlimited number of optional headers in a packet, signaled by a specific bit value. The parsing algorithm processes these headers sequentially and writes data to a stack variable.
However, the stack buffer is strictly limited to 0xB4 bytes, whereas a malicious packet can reach up to 0x5F0 bytes in size.
3G protocol stack (Source – Securelist)
An attacker can trigger this overflow by sending a single malformed packet with enough headers to exceed the stack buffer. Because the function lacks stack canary protection, this overwrites the return address.
Stack overflow in the context of the operating system (Source – Securelist)
The researchers used Return-Oriented Programming techniques to bypass the non-executable stack restriction. They constructed a ROP chain that redirected execution to the AT+SPSERVICETYPE command handler, which allowed them to transfer data into RAM.
// Pseudo-representation of the vulnerable parsing logic (not the real firmware)
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

typedef struct { bool has_more_headers; /* ... */ } packet_data;
uint16_t read_next_header(void); // assumed helper yielding the next 16-bit header

void process_sdu_headers(packet_data *sdu) {
    uint16_t header_stack[0x5A]; // 0xB4 bytes buffer
    size_t index = 0;
    while (sdu->has_more_headers) {
        // Writes beyond the buffer without checking bounds
        header_stack[index++] = read_next_header();
    }
}
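The following is an added example, not code from Securelist or from the Unisoc firmware, showing what the missing check looks like in a hardened form of the same header loop. It assumes a simplified packet layout (16-bit little-endian header words, with an assumed "more headers" flag in the top bit) so that it can run stand-alone; the buffer size (0xB4 bytes, i.e. 0x5A headers) and the maximum packet size (0x5F0 bytes) are the figures given in the article. The parser refuses a packet that would write past the buffer, and also a packet that ends while still promising more headers, which is the truncated-packet edge case a fragmentation handler must also tolerate.

```c
// Added example: bounds-checked variant of the SDU header parser.
// Not the real firmware; packet layout below is a constructed stand-in.
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

#define HEADER_STACK_LEN 0x5A     /* 0x5A * 2 bytes = 0xB4 bytes, as in the article */
#define MAX_PACKET_LEN   0x5F0    /* largest packet the article says can arrive */
#define MORE_HEADERS_BIT 0x8000   /* assumed: top bit of a header word = "more follow" */

typedef struct {
    const uint8_t *data;
    size_t len;
} packet_data;

/* Parses headers into out[], which holds at most out_len entries.
 * Returns the number of headers parsed, or -1 if the packet is truncated
 * or would write beyond out[] (the check the vulnerable loop lacks). */
int process_sdu_headers_safe(const packet_data *sdu, uint16_t *out, size_t out_len) {
    size_t index = 0, pos = 0;
    bool more = true;
    while (more) {
        if (pos + 2 > sdu->len) return -1;   /* truncated: promised header missing */
        if (index >= out_len)   return -1;   /* would overflow the stack buffer */
        uint16_t hdr = (uint16_t)(sdu->data[pos] | (sdu->data[pos + 1] << 8));
        pos += 2;
        more = (hdr & MORE_HEADERS_BIT) != 0;
        out[index++] = hdr;
    }
    return (int)index;
}

/* Wrapper that uses the same fixed 0xB4-byte stack buffer as the original. */
int parse_packet(const uint8_t *bytes, size_t len) {
    uint16_t header_stack[HEADER_STACK_LEN];
    packet_data sdu = { bytes, len };
    return process_sdu_headers_safe(&sdu, header_stack, HEADER_STACK_LEN);
}

/* Builds a constructed packet of n headers; every header but the last sets
 * the "more" bit. Returns the packet length in bytes (0 if buf is too small). */
size_t build_packet(uint8_t *buf, size_t buf_len, size_t n) {
    if (n == 0 || n * 2 > buf_len) return 0;
    for (size_t i = 0; i < n; i++) {
        uint16_t hdr = (uint16_t)(0x0100 + i);  /* arbitrary payload bits */
        if (i + 1 < n) hdr |= MORE_HEADERS_BIT;
        buf[2 * i]     = (uint8_t)(hdr & 0xFF);
        buf[2 * i + 1] = (uint8_t)(hdr >> 8);
    }
    return n * 2;
}

/* A small benign packet: 5 headers, well within the buffer. */
int demo_benign(void) {
    uint8_t buf[MAX_PACKET_LEN];
    size_t len = build_packet(buf, sizeof buf, 5);
    return parse_packet(buf, len);            /* 5 */
}

/* Exactly as many headers as the buffer holds: still accepted. */
int demo_max_fit(void) {
    uint8_t buf[MAX_PACKET_LEN];
    size_t len = build_packet(buf, sizeof buf, HEADER_STACK_LEN);
    return parse_packet(buf, len);            /* 0x5A */
}

/* A 0x5F0-byte packet (0x2F8 headers): rejected instead of overflowing. */
int demo_oversized(void) {
    uint8_t buf[MAX_PACKET_LEN];
    size_t len = build_packet(buf, sizeof buf, MAX_PACKET_LEN / 2);
    return parse_packet(buf, len);            /* -1 */
}

/* Last header claims more follow, but the packet ends: rejected. */
int demo_truncated(void) {
    uint8_t buf[MAX_PACKET_LEN];
    size_t len = build_packet(buf, sizeof buf, 3);
    buf[5] |= 0x80;                           /* set "more" bit on header 3 */
    return parse_packet(buf, len);            /* -1 */
}
```

The two checks sit at the top of the loop on purpose: the length check runs before any byte of the next header is read, and the index check runs before anything is stored, so neither a read nor a write can reach past the buffer regardless of how many "more headers" bits the packet sets.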
By exploiting this memory corruption, the attackers executed their own code, as evidenced by their patching of the memory protection unit table to grant write permissions.
This access eventually enabled them to compromise the Android kernel and run arbitrary applications on the car's head unit.
